CVE-2022-23082 (GCVE-0-2022-23082)
Vulnerability from cvelistv5
Published
2022-05-31 14:40
Modified
2024-09-17 02:42
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal.
References
vulnerabilitylab@mend.iohttps://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6Patch, Third Party Advisory
vulnerabilitylab@mend.iohttps://www.mend.io/vulnerability-database/CVE-2022-23082Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.mend.io/vulnerability-database/CVE-2022-23082Vendor Advisory
Impacted products
Vendor Product Version
WhiteSource CureKit Version: v1.0.1   < unspecified
Version: unspecified   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:28:43.268Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mend.io/vulnerability-database/CVE-2022-23082"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CureKit",
          "vendor": "WhiteSource",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "v1.0.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v1.1.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jonathan Leitschuh"
        }
      ],
      "datePublic": "2022-05-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-01T09:30:12",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mend.io/vulnerability-database/CVE-2022-23082"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version V1.1.4"
        }
      ],
      "source": {
        "advisory": "https://www.mend.io/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "CureKit - Path Traversal in isFileOutsideDir",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
          "DATE_PUBLIC": "2022-05-31T13:20:00.000Z",
          "ID": "CVE-2022-23082",
          "STATE": "PUBLIC",
          "TITLE": "CureKit - Path Traversal in isFileOutsideDir"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CureKit",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "v1.0.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "v1.1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WhiteSource"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Jonathan Leitschuh"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6",
              "refsource": "MISC",
              "url": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6"
            },
            {
              "name": "https://www.mend.io/vulnerability-database/CVE-2022-23082",
              "refsource": "MISC",
              "url": "https://www.mend.io/vulnerability-database/CVE-2022-23082"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to version V1.1.4"
          }
        ],
        "source": {
          "advisory": "https://www.mend.io/vulnerability-database/",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2022-23082",
    "datePublished": "2022-05-31T14:40:10.184672Z",
    "dateReserved": "2022-01-10T00:00:00",
    "dateUpdated": "2024-09-17T02:42:40.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23082\",\"sourceIdentifier\":\"vulnerabilitylab@mend.io\",\"published\":\"2022-05-31T15:15:07.887\",\"lastModified\":\"2024-11-21T06:47:56.650\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal.\"},{\"lang\":\"es\",\"value\":\"En CureKit, versiones v1.0.1 hasta v1.1.3 son vulnerables al path traversal ya que la funci\u00f3n isFileOutsideDir no sanea la entrada del usuario, lo que puede llevar al path traversal.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mend:curekit:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.1\",\"versionEndIncluding\":\"1.1.3\",\"matchCriteriaId\":\"85CDB90D-19D0-4AE0-B75A-B8FE8687225D\"}]}]}],\"references\":[{\"url\":\"https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.mend.io/vulnerability-database/CVE-2022-23082\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.mend.io/vulnerability-database/CVE-2022-23082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.